KB #240124: Using Encryptionizer for SQL on a Cluster

Type:

Summary:

Encryptionizer for SQL is cluster safe, but the installation and configuration are not cluster-aware. With a few steps, you can install and configure Encryptionizer while minimizing down-time.

Additional Information:

Reference Nodes as follows:

Node 1: Initially Active Node

Node 2: Initially Passive Node

Log in to Node 2 (passive node). We recommend you examine the application log and take care of any errors before proceeding.

Confirm that Node 2 is indeed not active and does not control cluster resources.

Install Encryptionizer for SQL Server, following the prompts in the setup program. Register the software using the registration information provided.

Reboot Node 2.

Run the Encryptionizer Administration Wizard (secadmin.exe) to enable Encryptionizer: set the encryption key that will be delivered to SQL when this instance is active. You will choose the local instance that is part of the cluster instance.

When you select Finish, you may be presented with the following: “Warning: The Encryptionizer Admin Wizard detected the selected MSSQL Server instance may not be completely stopped. The Wizard will complete but Encryptionizer will not take effect until the MSSQl Server instance has been restarted (Status Code = 4)”. Select OK at this point to proceed.

(Optional) Reboot Node 2 to clear any memory halts. If you reboot, wait for the node to completely come back online.

Failover from Node 1 to Node 2, so Node 2 is now active and Node 1 is now passive.

Log in to Node 1 (now passive).

Install Encryptionizer for SQL Server on Node 1.

Reboot Node 1.

Enable Encryptionizer on this node, as performed above on Node 2, using the same key profile information as before.

Failover from Node 2 back to Node 1 so Node 1 is active and Node 2 is passive.

On the active node, run “Install NetLib APIs” from the NetLib Encryptionizer Main Menu. Make sure you are connecting to the Cluster node at this point and not the local instance.

To confirm that keys are delivered to the running SQL cluster, and that the APIs were added properly, run the following command in a SQL Server Management Studio query window:

select master.dbo.fn_n_keycount()

A value > 0 indicates Encryptionizer is successfully configured, and at least 1 key is being delivered to the SQL Cluster.

For Whole Database Encryption, continue with the next step. For Column Encryption, continue below.

For whole database encryption only: take each database to be encrypted offline, then encrypt it using the Encrypt/Decrypt Wizard. See the Whole Database Administration Guide for more information.

For Column Encryption, you may now use the Encryptionizer Col-E Manager to encrypt columns.

After all updates are made, perform new backups of databases including master.
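
The two checks in the procedure above (the node is passive before you install on it, and keys reach the cluster after failover) can be scripted. This is an added example, not NetLib's own tooling; it assumes the FailoverClusters and SqlServer PowerShell modules are available, and the node name and SQL network name are hypothetical placeholders.

```powershell
# Added example. Assumed environment (not stated in the KB): FailoverClusters
# and SqlServer modules installed; elevated session on a cluster node.
Import-Module FailoverClusters, SqlServer

# Call before installing on a node: a passive node owns no cluster groups.
function Test-NodeIsPassive {
    param([Parameter(Mandatory)][string]$NodeName)
    $owned = @(Get-ClusterGroup | Where-Object { $_.OwnerNode.Name -eq $NodeName })
    if ($owned.Count -gt 0) {
        Write-Warning "$NodeName still owns: $($owned.Name -join ', ')"
        return $false
    }
    return $true
}

# Call after each failover: the same query the KB gives, sent to the clustered
# network name so it reaches whichever node is active, not the local instance.
# Only valid once "Install NetLib APIs" has created fn_n_keycount.
function Get-EncryptionizerKeyCount {
    param([Parameter(Mandatory)][string]$SqlNetworkName)
    $row = Invoke-Sqlcmd -ServerInstance $SqlNetworkName -Database master `
        -Query 'SELECT master.dbo.fn_n_keycount() AS KeyCount' -ErrorAction Stop
    return $row.KeyCount
}

# Hypothetical names; replace with your own.
$passiveNode    = 'NODE2'
$sqlNetworkName = 'SQLCLUSTER01'

# End-state check after the final failback: Node 2 passive, keys delivered.
if (-not (Test-NodeIsPassive -NodeName $passiveNode)) {
    throw "$passiveNode still controls cluster resources; do not install or reboot it."
}

$count = Get-EncryptionizerKeyCount -SqlNetworkName $sqlNetworkName
if ($count -gt 0) {
    "Key delivery OK: $count key(s) reaching $sqlNetworkName"
} else {
    Write-Warning "No keys delivered to $sqlNetworkName; re-check the key profile on the active node."
}
```

Running the key-count check once with each node active confirms that both nodes were enabled with the same key profile.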